Tuesday, July 11, 2017

This seems important, and completely lost in the shuffle (and I'm assuming will be ignored by all the fine analysts of documents who pop up to blame Putin for something or other). "New Blockbuster Research Shows Guccifer 2.0 Files Were Copied Locally, Not Hacked" (and see comment by LyLo: "Various 4chan autists seem to be of the belief that "Guccifer 2.0" is, in fact, the DNC staging a leak. Which would totally align with this new information, unlike most other running theories (Rich aside). (Not necessarily endorsing, just wanted to throw that out there.)":

"The document states that the files that eventually published as "NGP-VAN" by Guccifer 2.0 were first copied to a system located in the Eastern Time Zone, with this conclusion supported by the observation that "the .7z file times, after adjustment to East Coast time fall into the range of the file times in the .rar files." This constitutes the first of a number of points of analysis which suggests that the information eventually published by the Guccifer 2.0 persona was not obtained by a Russian hacker.

The Forensicator stated in their analysis that a USB drive was most likely used to boot Linux OS onto a computer that either contained the alleged DNC files or had direct access to them. They also explained to us that in this situation one would simply plug a USB drive with the LinuxOS into a computer and reboot it; after restarting, the computer would boot from the USB drive and load Linux instead of its normal OS. A large amount of data would then be copied to this same USB drive.

In this case, additional files would have been copied en masse, to be "pruned" heavily at a later time when the 7zip archive now known as NGP-VAN was built. The Forensicator wrote that if 1.98 GB of data had been copied at a rate of 22.6 MB/s and time gaps t were noticed at the top level of the NGP-VAN 7zip file were attributed to additional file copying, then approximately 19.3 GB in total would have been copied. In this scenario, the 7zip archive (NGP-VAN) would represent only about 10% of the total amount of data that was collected.

The very small proportion of files eventually selected for use in the creation of the "NGP-VAN" files were later published by the creators of the Guccifer 2.0 persona. This point is especially significant, as it suggests the possibility that up to 90% of the information initially copied was never published.

The use of a USB drive would suggest that the person first accessing the data could not have been a Russian hacker. In this case, the person who copied the files must have physically interacted with a computer that had access to what Guccifer 2.0 called the DNC files. A less likely explanation for this data pattern where large time gaps were observed between top level files and directories in the 7zip file, can be explained by the use of 'think time' to select and copy 1.9 GB of individual files, copied in small batches with think time interspersed. In either scenario, Linux would have been booted from a USB drive, which fundamentally necessitates physical access to a computer with the alleged DNC files.

The Forensicator believed that using the possible 'think-time' explanation to explain the time-gaps was a less likely explanation for the data pattern available, with a large amount of data most likely copied instantaneously, later "pruned" in the production of the Guccifer 2.0's publication of the NGP-VAN files.

Both the most likely explanation and the less likely scenario provided by The Forensicator's analysis virtually exclude the possibility of a Russian or remote hacker gaining external access to the files later published as "NGP-VAN." In both cases, the physical presence of a person accessing a containing DNC information would be required.

Importantly, The Forensicator concluded that the chance that the files had been accessed and downloaded remotely over the internet were too small to give this idea any serious consideration. He explained that the calculated transfer speeds for the initial copy were much faster than can be supported by an internet connection. This is extremely significant and completely discredits allegations of Russian hacking made by both Guccifer 2.0 and Crowdstrike.

This conclusion is further supported by analysis of the overall transfer rate of 23 MB/s. The Forensicator described this as "possible when copying over a LAN, but too fast to support the hypothetical scenario that the alleged DNC data was initially copied over the Internet (esp. to Romania)." Guccifer 2.0 had claimed to originate in Romania. So in other words, this rate indicates that the data was downloaded locally, possibly using the local DNC network. The importance of this finding in regards to destroying the Russian hacking narrative cannot be overstated.

If the data is correct, then the files could not have been copied over a remote connection and so therefore cannot have been "hacked by Russia."

The use of a USB drive would also strongly suggest that the person copying the files had physical access to a computer most likely connected to the local DNC network. Indications that the individual used a USB drive to access the information over an internal connection, with time stamps placing the creation of the copies in the East Coast Time Zone, suggest that the individual responsible for initially copying what was eventually published by the Guccifer 2.0 persona under the title "NGP-VAN" was located in the Eastern United States, not Russia."

" . . . any data that is passed from the servers of the Democratic National Committee (DNC) or of Hillary Rodham Clinton (HRC) – or any other server in the U.S. – is collected by the NSA. These data transfers carry destination addresses in what are called packets, which enable the transfer to be traced and followed through the network.

Packets: Emails being passed across the World Wide Web are broken down into smaller segments called packets. These packets are passed into the network to be delivered to a recipient. This means the packets need to be reassembled at the receiving end.

To accomplish this, all the packets that form a message are assigned an identifying number that enables the receiving end to collect them for reassembly. Moreover, each packet carries the originator and ultimate receiver Internet protocol number (either IPV4 or IPV6) that enables the network to route data.

When email packets leave the U.S., the other “Five Eyes” countries (the U.K., Canada, Australia, and New Zealand) and the seven or eight additional countries participating with the U.S. in bulk-collection of everything on the planet would also have a record of where those email packets went after leaving the U.S.

These collection resources are extensive . . . they include hundreds of trace route programs that trace the path of packets going across the network and tens of thousands of hardware and software implants in switches and servers that manage the network. Any emails being extracted from one server going to another would be, at least in part, recognizable and traceable by all these resources.

The bottom line is that the NSA would know where and how any “hacked” emails from the DNC, HRC or any other servers were routed through the network. This process can sometimes require a closer look into the routing to sort out intermediate clients, but in the end sender and recipient can be traced across the network.

The various ways in which usually anonymous spokespeople for U.S. intelligence agencies are equivocating – saying things like “our best guess” or “our opinion” or “our estimate” etc. – shows that the emails alleged to have been “hacked” cannot be traced across the network. Given NSA’s extensive trace capability, we conclude that DNC and HRC servers alleged to have been hacked were, in fact, not hacked.

The evidence that should be there is absent; otherwise, it would surely be brought forward, since this could be done without any danger to sources and methods. Thus, we conclude that the emails were leaked by an insider – as was the case with Edward Snowden and Chelsea Manning. Such an insider could be anyone in a government department or agency with access to NSA databases, or perhaps someone within the DNC.

As for the comments to the media as to what the CIA believes, the reality is that CIA is almost totally dependent on NSA for ground truth in the communications arena. Thus, it remains something of a mystery why the media is being fed strange stories about hacking that have no basis in fact. In sum, given what we know of NSA’s existing capabilities, it beggars belief that NSA would be unable to identify anyone – Russian or not – attempting to interfere in a U.S. election by hacking."

This seems important, and completely lost in the shuffle (and I'm assuming will be ignored by all the fine analysts of documents who pop up to blame Putin for something or other). "New Blockbuster Research Shows Guccifer 2.0 Files Were Copied Locally, Not Hacked" (and see comment by LyLo: "Various 4chan autists seem to be of the belief that "Guccifer 2.0" is, in fact, the DNC staging a leak. Which would totally align with this new information, unlike most other running theories (Rich aside). (Not necessarily endorsing, just wanted to throw that out there.)":

"The document states that the files that eventually published as "NGP-VAN" by Guccifer 2.0 were first copied to a system located in the Eastern Time Zone, with this conclusion supported by the observation that "the .7z file times, after adjustment to East Coast time fall into the range of the file times in the .rar files." This constitutes the first of a number of points of analysis which suggests that the information eventually published by the Guccifer 2.0 persona was not obtained by a Russian hacker.

The Forensicator stated in their analysis that a USB drive was most likely used to boot Linux OS onto a computer that either contained the alleged DNC files or had direct access to them. They also explained to us that in this situation one would simply plug a USB drive with the LinuxOS into a computer and reboot it; after restarting, the computer would boot from the USB drive and load Linux instead of its normal OS. A large amount of data would then be copied to this same USB drive.

In this case, additional files would have been copied en masse, to be "pruned" heavily at a later time when the 7zip archive now known as NGP-VAN was built. The Forensicator wrote that if 1.98 GB of data had been copied at a rate of 22.6 MB/s and time gaps t were noticed at the top level of the NGP-VAN 7zip file were attributed to additional file copying, then approximately 19.3 GB in total would have been copied. In this scenario, the 7zip archive (NGP-VAN) would represent only about 10% of the total amount of data that was collected.

The very small proportion of files eventually selected for use in the creation of the "NGP-VAN" files were later published by the creators of the Guccifer 2.0 persona. This point is especially significant, as it suggests the possibility that up to 90% of the information initially copied was never published.

The use of a USB drive would suggest that the person first accessing the data could not have been a Russian hacker. In this case, the person who copied the files must have physically interacted with a computer that had access to what Guccifer 2.0 called the DNC files. A less likely explanation for this data pattern where large time gaps were observed between top level files and directories in the 7zip file, can be explained by the use of 'think time' to select and copy 1.9 GB of individual files, copied in small batches with think time interspersed. In either scenario, Linux would have been booted from a USB drive, which fundamentally necessitates physical access to a computer with the alleged DNC files.

The Forensicator believed that using the possible 'think-time' explanation to explain the time-gaps was a less likely explanation for the data pattern available, with a large amount of data most likely copied instantaneously, later "pruned" in the production of the Guccifer 2.0's publication of the NGP-VAN files.

Both the most likely explanation and the less likely scenario provided by The Forensicator's analysis virtually exclude the possibility of a Russian or remote hacker gaining external access to the files later published as "NGP-VAN." In both cases, the physical presence of a person accessing a containing DNC information would be required.

Importantly, The Forensicator concluded that the chance that the files had been accessed and downloaded remotely over the internet were too small to give this idea any serious consideration. He explained that the calculated transfer speeds for the initial copy were much faster than can be supported by an internet connection. This is extremely significant and completely discredits allegations of Russian hacking made by both Guccifer 2.0 and Crowdstrike.

This conclusion is further supported by analysis of the overall transfer rate of 23 MB/s. The Forensicator described this as "possible when copying over a LAN, but too fast to support the hypothetical scenario that the alleged DNC data was initially copied over the Internet (esp. to Romania)." Guccifer 2.0 had claimed to originate in Romania. So in other words, this rate indicates that the data was downloaded locally, possibly using the local DNC network. The importance of this finding in regards to destroying the Russian hacking narrative cannot be overstated.

If the data is correct, then the files could not have been copied over a remote connection and so therefore cannot have been "hacked by Russia."

The use of a USB drive would also strongly suggest that the person copying the files had physical access to a computer most likely connected to the local DNC network. Indications that the individual used a USB drive to access the information over an internal connection, with time stamps placing the creation of the copies in the East Coast Time Zone, suggest that the individual responsible for initially copying what was eventually published by the Guccifer 2.0 persona under the title "NGP-VAN" was located in the Eastern United States, not Russia."

" . . . any data that is passed from the servers of the Democratic National Committee (DNC) or of Hillary Rodham Clinton (HRC) – or any other server in the U.S. – is collected by the NSA. These data transfers carry destination addresses in what are called packets, which enable the transfer to be traced and followed through the network.

Packets: Emails being passed across the World Wide Web are broken down into smaller segments called packets. These packets are passed into the network to be delivered to a recipient. This means the packets need to be reassembled at the receiving end.

To accomplish this, all the packets that form a message are assigned an identifying number that enables the receiving end to collect them for reassembly. Moreover, each packet carries the originator and ultimate receiver Internet protocol number (either IPV4 or IPV6) that enables the network to route data.

When email packets leave the U.S., the other “Five Eyes” countries (the U.K., Canada, Australia, and New Zealand) and the seven or eight additional countries participating with the U.S. in bulk-collection of everything on the planet would also have a record of where those email packets went after leaving the U.S.

These collection resources are extensive . . . they include hundreds of trace route programs that trace the path of packets going across the network and tens of thousands of hardware and software implants in switches and servers that manage the network. Any emails being extracted from one server going to another would be, at least in part, recognizable and traceable by all these resources.

The bottom line is that the NSA would know where and how any “hacked” emails from the DNC, HRC or any other servers were routed through the network. This process can sometimes require a closer look into the routing to sort out intermediate clients, but in the end sender and recipient can be traced across the network.

The various ways in which usually anonymous spokespeople for U.S. intelligence agencies are equivocating – saying things like “our best guess” or “our opinion” or “our estimate” etc. – shows that the emails alleged to have been “hacked” cannot be traced across the network. Given NSA’s extensive trace capability, we conclude that DNC and HRC servers alleged to have been hacked were, in fact, not hacked.

The evidence that should be there is absent; otherwise, it would surely be brought forward, since this could be done without any danger to sources and methods. Thus, we conclude that the emails were leaked by an insider – as was the case with Edward Snowden and Chelsea Manning. Such an insider could be anyone in a government department or agency with access to NSA databases, or perhaps someone within the DNC.

As for the comments to the media as to what the CIA believes, the reality is that CIA is almost totally dependent on NSA for ground truth in the communications arena. Thus, it remains something of a mystery why the media is being fed strange stories about hacking that have no basis in fact. In sum, given what we know of NSA’s existing capabilities, it beggars belief that NSA would be unable to identify anyone – Russian or not – attempting to interfere in a U.S. election by hacking."